Antivirus Experts needed!


FastRedPonyCar
09-26-08, 11:06 AM
OK so we've been having some issues recently with viruses that users don't know about showing up on our network via thumbdrives and portable harddrives.

We're using Symantec 10.2.xx right now and I was able to disable Symantec's auto protection, download the EICAR test virus

http://www.rexswain.com/eicar.html

And download it both unzipped and the zipfile to a thumb drive... I re-enable auto protect and NOTHING. Plugged the thumb drive into another system with the latest definitions and nothing. Norton is quiet as a mouse.

Now I've disabled autoprotect once again, moved the eicar.com file onto my desktop and re-enable auto protect.... half an hour later, nothing.. not a peep.

We need a PROACTIVE solution that can look at not only thumb drives but quietly always be on the lookout in the background for suspicious activity.


In all fairness, it DOES come up when I try and download the file to my hdd, it says not so fast and auto protect kicks in. Same as when I try and unzip the file to my hdd or thumbdrive. It does its thing but it required user interaction... there are a lot of viruses and worms that DON'T require me to do ANYTHING to them.

If someone has such a worm or virus on their thumbdrive and brings it to work and plugs it in, the malicious file has a playground to do its dirty work without Norton ever blinking an eye. :headexplode:

AthlonXP1800
09-27-08, 01:56 AM
Norton Internet Security 2009 has a PROACTIVE feature built in. I tested it on a VirtualPC: I downloaded the eicar virus file from eicar.com and NIS2009 blocked it when auto-protect was enabled, and the same thing happened when I downloaded the zip file and extracted it to a folder on the desktop. When I disabled auto-protect, it did nothing when I extracted to a folder; then I looked at the NIS2009 settings and noticed both AntiVirus and Advanced Protection were off. I tried turning on Advanced Protection to see what happened; when it turned on, AntiVirus turned on and auto-protect was enabled as well. Then I tried turning off Advanced Protection and both turned off, and I turned on AntiVirus and saw Advanced Protection still off and Auto-protect still disabled. I tested extracting the zip file to a folder and NIS2009 blocked it when Auto-protect is disabled. :D

Symantec 10.2.xx is an old version; there is a new version 11 available which now has a PROACTIVE feature, so I suggest you upgrade to the latest version. :)

FastRedPonyCar
09-27-08, 09:12 AM
> Norton Internet Security 2009 has a PROACTIVE feature built in. I tested it on a VirtualPC: I downloaded the eicar virus file from eicar.com and NIS2009 blocked it when auto-protect was enabled, and the same thing happened when I downloaded the zip file and extracted it to a folder on the desktop. When I disabled auto-protect, it did nothing when I extracted to a folder; then I looked at the NIS2009 settings and noticed both AntiVirus and Advanced Protection were off. I tried turning on Advanced Protection to see what happened; when it turned on, AntiVirus turned on and auto-protect was enabled as well. Then I tried turning off Advanced Protection and both turned off, and I turned on AntiVirus and saw Advanced Protection still off and Auto-protect still disabled. I tested extracting the zip file to a folder and NIS2009 blocked it when Auto-protect is disabled. :D
>
> Symantec 10.2.xx is an old version; there is a new version 11 available which now has a PROACTIVE feature, so I suggest you upgrade to the latest version. :)

wellll..... it's not as simple as running out and buying it on the store shelf... it's for an entire military base hahahah :o

nekrosoft13
09-27-08, 02:33 PM
http://img137.imageshack.us/img137/1/clipboard01vq9.jpg

AthlonXP1800
09-27-08, 07:19 PM
> wellll..... it's not as simple as running out and buying it on the store shelf... it's for an entire military base hahahah :o

wellll you don't have to run out to the store, you can either buy or upgrade to Symantec Endpoint Protection 11.0 at a discount online at the Symantec website. I didn't buy Norton Internet Security 2009 as it cost 45 in stores, while I bought it at the Symantec website online for just 21 with a discount. :D

FastRedPonyCar
09-29-08, 07:54 AM
We have to use a corporate solution. Right now, 10.2 is the most current corporate version.

http://www.symantec.com/business/antivirus-corporate-edition

You see, we have over 13,000 computers on our network so it's a bit more complicated than just downloading an update or new version. We'd have to test it and ensure that our Symantec servers can maintain the new version correctly (see, I don't know if version 11 even gives you the option to have it managed by a parent server or not) and if our servers' software version can talk with and take care of a machine with version 11.

nekrosoft13
09-29-08, 09:45 AM
> We have to use a corporate solution. Right now, 10.2 is the most current corporate version.
>
> http://www.symantec.com/business/antivirus-corporate-edition
>
> You see, we have over 13,000 computers on our network so it's a bit more complicated than just downloading an update or new version. We'd have to test it and ensure that our Symantec servers can maintain the new version correctly (see, I don't know if version 11 even gives you the option to have it managed by a parent server or not) and if our servers' software version can talk with and take care of a machine with version 11.

from your link

> For next generation antivirus protection, upgrade to Symantec Endpoint Protection 11.0, which combines Symantec AntiVirus with advanced threat prevention to protect endpoints from even the most sophisticated attacks.

10.2 is dead, and there will be no future upgrades, it was replaced with Endpoint Protection 11.

that is your next future upgrade

FastRedPonyCar
09-29-08, 09:50 AM
I found a copy of 11 w/endpoint on our network "testing software" and did a full install.

EICAR still sitting on my thumbdrive <_<


Most recent updates have been applied and proactive scan was set for 15 minute intervals and it's been an hour.



So back to my original problem here is that if an infected thumb drive or portable HDD gets plugged in, there's no scan done right away. THAT'S what I want to happen and if there's a virus on it, it has plenty of time to do whatever it wants with AV just sitting there with a thumb up its butt it seems.

ninelven
09-29-08, 08:42 PM
I would check out these in this order:

1) http://www.avira.com/en/pages/index.php

2) http://www.kaspersky.com

AthlonXP1800
09-30-08, 01:22 AM
> So back to my original problem here is that if an infected thumb drive or portable HDD gets plugged in, there's no scan done right away. THAT'S what I want to happen and if there's a virus on it, it has plenty of time to do whatever it wants with AV just sitting there with a thumb up its butt it seems.

Looks like Endpoint Protection 11 is not configured the way you wanted it. Check the settings to make sure that checking for viruses when removable media is inserted is enabled, and also create custom scans to scan removable drives for viruses on a thumb drive or portable HDD.

RejZoR
11-09-08, 06:53 AM
Antiviruses only scan accessed/modified files. Unless something or someone is accessing that very specific file on the USB drive, nothing will detect it.
If you double-click it, it will be scanned. If there is an autorun located on the USB drive and it is pointing to that EXE (or whatever it is), it will be scanned.
Scanning everything because it's there is a waste of resources. That's why no one does it.
So don't worry about it.

einstein_314
11-17-08, 11:53 PM
> Antiviruses only scan accessed/modified files. Unless something or someone is accessing that very specific file on the USB drive, nothing will detect it.
> If you double-click it, it will be scanned. If there is an autorun located on the USB drive and it is pointing to that EXE (or whatever it is), it will be scanned.
> Scanning everything because it's there is a waste of resources. That's why no one does it.
> So don't worry about it.

That's what I thought. It only gets scanned when it gets accessed. Whether by user interaction or automatically, i.e. autoruns etc. If you have a virus on your flash drive and you plug it in, it's not going to infect your computer until you try to do something with it. (That I'm aware of anyways). And as soon as you do try to do something to it (i.e. move, copy, open, etc.) it will be detected and dealt with.
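
The two posts above say a file on a USB drive is only scanned once something accesses it, and that an autorun entry pointing at it is one such access. The following is an added example, not part of the original thread: it lists the programs a drive's `autorun.inf` would start and reads each one, which is the kind of access an on-access scanner reacts to. The sample `autorun.inf`, the file names and the function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath

LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that name a program to start
# Constructed sample, not taken from a real drive.
SAMPLE_INF = "[AutoRun]\nicon=drive.ico\nOPEN=tools\\setup.exe /quiet\nshell\\scan\\command=\"missing tool.exe\" -x\n"

def launch_commands(inf_text):
    """Return (key, command) pairs from the [autorun] section, skipping junk lines."""
    section, found = None, []
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                found.append((key, value))
    return found

def program_of(command):
    """Program path at the start of a command line, without its arguments."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""

def triage_volume(root):
    """Read each file autorun.inf would start; report its SHA-256 or why it was unreadable."""
    inf = next((p for p in Path(root).iterdir() if p.name.lower() == "autorun.inf"), None)
    report = []
    for key, command in launch_commands(inf.read_text(errors="replace")) if inf else []:
        rel = PureWindowsPath(program_of(command))
        parts = rel.parts[1:] if rel.anchor else rel.parts  # drop any drive letter or root
        try:
            # Opening the file is the access that makes an on-access scanner inspect it.
            result = hashlib.sha256(Path(root).joinpath(*parts).read_bytes()).hexdigest()
        except OSError as exc:  # missing, or access denied (e.g. blocked by the scanner)
            result = "unreadable: " + type(exc).__name__
        report.append((key, "\\".join(parts), result))
    return report

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as vol:  # stands in for the mounted drive root
        Path(vol, "autorun.inf").write_text(SAMPLE_INF)
        Path(vol, "tools").mkdir()
        Path(vol, "tools", "setup.exe").write_bytes(b"constructed placeholder bytes")
        print(triage_volume(vol))
```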

Drolfrawd
11-28-08, 04:20 PM
Persuade your IT masters to use NOD32 business edition; we ditched Endpoint and all things symanticy.

No regrets

Bman212121
12-30-08, 07:01 PM
Actually I've been on the fence with NOD for the past few months. It was giving us grief earlier this year with domain logins. We figured that one out but just earlier today someone was getting a lot of pop-ups due to some DLL files registering themselves into IE. NOD didn't seem to pick up any of the files so I had to manually boot another OS just to delete the files because they were locked. Not 100% sure if I killed all of the problem yet but none of the .exe's or .dll's that I pulled from that box seem to trigger NOD. It was still getting updates (Ver 3724 dated 12/30/08) so at least that part works.

I might have to try a test virus to see if the client is actually still working or not.

The funny thing is that antivirus and antispyware are two important pieces of software, and yet I've yet to find a solution that has really worked well. They all seem to have problems in some form or another.